10 questions to ask your business about your GDPR preparations

25th May 2018. This is the date that many Data Protection, Governance, Compliance and Marketing people have got pinned up above their desks. In fact, many different job roles in organisations of all shapes and sizes are involved in preparing for “GDPR Day”.

We believe that the General Data Protection Regulation (GDPR) presents a great opportunity for organisations, but there is still lots to do, with less than a year to go before the GDPR, an EU regulation, becomes directly applicable in the UK.

What “lots” actually means will vary wildly. Some organisations will be updating Privacy Policies, internal training and processes such as their Subject Access Request (SAR) response whilst others will be very much starting from scratch with a full Data Governance-led approach; considering the people, processes, policies and technologies that will help them align with the GDPR.

Whatever stage you feel your organisation is at, there are always going to be some unexpected or unknown events that pop up. As with any major change, it’s worth regularly questioning yourself to find and quantify these potential issues.

How well prepared are you for GDPR compliance?

To help get a broad view of your readiness, I’ve put together a non-exhaustive list of 10 questions to ask your colleagues about the GDPR. Whether you’re just starting out or already on the road these will hopefully act as a good starting point to identify areas that may still require attention.

Have we located every digital store of personal data in the organisation?

Are we regularly checking our data for personal or sensitive information where we wouldn’t expect it to be?

Have we catalogued personal data in a way that supports on-going data quality management?

Are we confident that we can turn around Subject Access Requests within one month?

Do we know what would happen if we received hundreds of SARs at the same time?

You may have answered No to one or more of these questions. The first thing to point out, if you have more Nos than Yeses, is not to worry too much. There is still time to prepare your data and the associated technologies and processes for the GDPR. It would be best, though, not to delay things much longer.

Three steps to laying the foundations for GDPR implementation

From the conversations I’ve been having with organisations of all sizes, it is apparent that there will be some gaps or unknown areas for many. So what can you do about these unknowns?

Step 1

Firstly, Investigate. What are the priorities for your organisation? If you’ve not yet prioritised your GDPR preparations or haven’t challenged previous assumptions, there are several ways you can do this from both a business-centric and data-centric perspective. What’s important though is to keep asking questions around how GDPR readiness can bring benefits to your customers, colleagues and citizens.

Step 2

Next, Improve. From underlying data accuracy to the systems and processes that support Consent and SARs – breaking your readiness program down into chunks and planning each piece now will enable you to focus your resources up to May 2018 and beyond. There will be work for every organisation and taking a pragmatic approach will ensure the ‘big ticket’ items are tackled first.

Step 3

Finally, Integrate. You may need to train your users on the regulation as well as on the new processes and systems that you will be bringing in; the sooner you do this, the more prepared they will be. Alongside that, stress test those processes, policies and tools (for example, rehearse the SAR process against the volume of requests you would struggle to handle). If you are also embarking on a data accuracy improvement scheme, feed the corrected data back into the source systems, put validation checks in front of the points where data enters (a data quality firewall) and ensure that data accuracy is monitored and reported on, so that degradation is spotted before it creates risk.
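Two of the points above, checking for personal data in fields where it is not expected and monitoring accuracy so that degradation is reported, can be automated in a small way. The following Python is an added example written for this page; it is not Experian's code or tooling. The field names (email, phone, notes, address_line_2), the sample records and the choice of patterns are assumptions; the patterns are shape checks only, with no checksum or registry lookup, so a hit is a lead for a person to review rather than proof that a field holds personal data.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Detectors for a few common UK personal-data formats. These are format
# (shape) checks only, so treat every hit as something to review by hand.
DETECTORS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # UK mobile: 07xxx xxxxxx or +44 7xxx xxxxxx, spaces optional.
    "uk_mobile": re.compile(r"(?<!\d)(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}(?!\d)"),
    # National Insurance number shape: two letters, six digits, suffix A-D.
    "uk_nino": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
}

# Where each kind of personal data is EXPECTED to live (assumed schema).
# A hit in any other field is "personal data where we wouldn't expect it",
# typically free text such as notes or a spare address line.
EXPECTED_HOME = {
    "email": {"email"},
    "uk_mobile": {"phone"},
    "uk_nino": set(),  # this hypothetical system should never hold NI numbers
}

Finding = Tuple[str, str, str]  # (record id, field, kind of data found)


def scan_record(record: Dict[str, str]) -> List[Finding]:
    """Report personal-data shapes found in fields that are not their home."""
    findings: List[Finding] = []
    rid = record.get("id", "?")
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in DETECTORS.items():
            if field in EXPECTED_HOME[kind]:
                continue  # expected here, nothing to flag
            if pattern.search(value):
                findings.append((rid, field, kind))
    return findings


def scan_records(records: Iterable[Dict[str, str]]) -> List[Finding]:
    out: List[Finding] = []
    for record in records:
        out.extend(scan_record(record))
    return out


def summarise(findings: Iterable[Finding]) -> Dict[Tuple[str, str], int]:
    """Count findings per (field, kind): the figure to put on a dashboard."""
    return dict(Counter((field, kind) for _, field, kind in findings))


def admit(record: Dict[str, str]) -> Tuple[bool, List[Finding]]:
    """Data quality firewall: refuse a record that carries personal data
    in a field not meant for it, returning the reasons for rejection."""
    findings = scan_record(record)
    return (len(findings) == 0, findings)


def malformed(records: Iterable[Dict[str, str]]) -> List[Finding]:
    """Accuracy check: a home field that is populated but does not match
    the shape it should hold (e.g. a truncated phone number)."""
    out: List[Finding] = []
    for record in records:
        rid = record.get("id", "?")
        for kind, fields in EXPECTED_HOME.items():
            for field in fields:
                value = record.get(field)
                if value and not DETECTORS[kind].search(value):
                    out.append((rid, field, kind))
    return out


# Constructed sample records (not real customer data).
SAMPLE = [
    {"id": "1", "email": "a.smith@example.com", "phone": "07700 900123",
     "notes": "Prefers post"},
    {"id": "2", "email": "b.jones@example.com", "phone": "07700 9004",
     "notes": "Call back on 07700 900456 after 5pm"},
    {"id": "3", "email": "", "phone": "07700 900789",
     "notes": "NI AB123456C quoted over phone"},
    {"id": "4", "email": "c@example.com", "phone": "07700 900000",
     "address_line_2": "c/o d.lee@example.org"},
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE):
        print("unexpected personal data:", finding)
    print("summary:", summarise(scan_records(SAMPLE)))
    print("malformed home fields:", malformed(SAMPLE))
    print("firewall admits record 2:", admit(SAMPLE[1])[0])
```

Run over the sample, this flags the mobile number in record 2's notes, the NI number in record 3's notes and the e-mail address in record 4's spare address line, and separately reports record 2's truncated phone field as an accuracy problem. The useful design point is the split between discovery (scan the whole store on a schedule and trend the summary) and the firewall (refuse or quarantine new records at the point of entry), since both are needed to stop the unexpected data coming back after a clean-up.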

As I said above, these 10 questions are by no means the only ones you should be asking. However, if you answered 'No' to any of them and are keen to ensure the benefits of GDPR can be realised, speak to Experian about our full suite of services that can support your GDPR preparations. Many of our clients start with a GDPR Readiness Assessment which helps them to use their data quality to zero in on potentially unknown issues across their business. For information on this assessment, more services and a range of white papers and other resources, visit the GDPR pages on our website.

Please note that while we can support businesses with their preparations for the GDPR, we cannot offer legal counsel or compliance advice.

Experian Ltd is authorised and regulated by the Financial Conduct Authority. Experian Ltd is registered in England and Wales under company registration number 653331. Registered office address: The Sir John Peace Building, Experian Way, NG2 Business Park, Nottingham NG80 1ZZ.